The federal government has just announced that it intends to spend more than $750-million on cybersecurity. Cyber concerns are on the rise. Each year between 2014 and 2017, the Society of Actuaries's annual survey of emerging risks ranked cyber and interconnected infrastructure as the No. 1 emerging risk, passing financial volatility, demographic shifts, terrorism and retrenchment due to globalization. With increased emphasis on innovation in the federal budget and the recently announced artificial intelligence supercluster, these risks will increase.
There is evidence of serious vulnerabilities in Canada. A new national strategy is coming this year, but this is cold comfort. In February, 2011, and one year after the previous national strategy was announced, a cyberattack infiltrated key central government agencies; the government took several systems offline for weeks.
The problems are not always caused by malicious actors. In 2007, the Canada Revenue Agency uploaded a corrupted patch that forced it to take its systems offline for 10 days, which prevented the government from collecting or disseminating money online, a serious national-security issue.
Reliable information about the scope of the problem is hard to come by because security data are cloaked in secrecy. Operators of critical infrastructure are reluctant to disclose the vulnerabilities of their assets because of the risk to their organization's security, liability, share value and public image. Compared with other major threats, however, there is a lack of popular interest in cybersecurity stories. We have a database that tracks media coverage in four national newspapers of record for one year following the start of a major critical infrastructure threat or failure. In a 365-day period, The Globe and Mail, for example, ran 60 stories on the 2014 Parliament Hill shooting, 98 stories on the 2013 Alberta floods, 233 stories on the 2013 Lac-Mégantic train derailment and 340 stories on the 2009 H1N1 outbreak. In contrast, the paper ran three stories on the 2007 CRA patch mistake.
Cyber events are difficult to write about: They are nameless and faceless; accountability is unclear. When the media can identify an individual as being primarily responsible – such as Chelsea Manning or Jeffrey Delisle – media coverage increases.
People also trust the IT sector. According to Edelman, while critical infrastructure sectors such as energy and financial services hover in the mid-50s, 71 per cent of people trust the IT sector, four points higher than the second most trusted, the health sector. Regulating IT would seem anti-modern and anti-innovation in many circles.
In order to attract attention to the issue, the IT security commentators exaggerate the problem in popular discourse. They highlight worst-case scenarios, or attacks in the millions, failing to distinguish between the consequential and insignificant. They refer to the sinister capabilities of China and Russia, yet refer less to the inherent resilience of the system, the capabilities of Western democracies to defend themselves or counterattack.
When they do refer to other Western countries, it is often to point out that these other national governments are building up their cyberdefences, and therefore we should do the same. In the United States, for example, Congress has authorized funding for the National Cybersecurity Protection System to an expected total of US$5.7-billion. We read less of the criticism levelled against the U.S. administration on the matter. In 2016, the Government Accountability Office observed that the Department of Homeland Security's performance metrics do not gauge the quality, accuracy or effectiveness of the system's intrusion detection and prevention capabilities.
Given the lack of reliable data on the subject, these risks are by their nature difficult to address. There are many challenges: the integrity of elections, insider threats, extortion, industrial espionage, the protection of intellectual property and financial data.
We need to move beyond the dramatic claims that typify the cyber discourse and enhance accountability on the subject, focusing more on concrete goals and objectives, balancing our need for risk-taking for innovation with securing our critical systems.